11-10-2015 02:03 PM
I have been working to get our new CPPM server up and running. This new server is located in a remote office which has a latency of around 300ms+. It has been joined to our existing cluster.
I am curious about the topology of how ClearPass Guest works in this scenario.
We have a captive portal that is being hosted from the CPPM.
The guest network in our remote office is set up to connect back to the publisher ClearPass and not the local subscriber. The registration of the guest accounts all occurs against the publisher. The authentication though occurs against the local subscriber. This is where I am running into issues. It seems that the subscriber node is not able to sync the data in time and I am left with a message stating that the user does not exist in the Guest Repository.
I am just curious about what the proper setup is for this scenario? I feel like I am missing the boat when it comes to how the ClearPass Guest should be structured, as well as in general. The latency has been presenting challenges I didn't expect.
I was thinking that for the Captive Portal configuration instead of pointing it at the CPPM in the local site I would point it to the publisher. Is this the correct way to handle this? Or am I completely out to lunch?
11-10-2015 07:08 PM
Take a look at the ClearPass Deployment Guide. It has specific recommendations. Check the section on Cluster Design Considerations.
11-12-2015 07:51 AM
Thank you for your reply.
I read over the document.
Everything for the most part makes sense.
We are definitely experiencing issues with the latency.
The way our Guest is set up is correct, but because of the replication delays we run into issues.
The geographical zoning configuration sounds like something we may need to implement. However, I do have some concerns about the runtime data that isn't synchronized. The document explicitly mentions that the endpoints db information isn't. We do have users that travel between the locations on a regular basis and it would be handy to have this data present in our remote locations.
I believe that the major issue is related to the link we have to our remote location. It is very small, well under what is recommended in this document.
I will continue to investigate, thank you for this document!
11-12-2015 07:46 PM
I was able to overcome the guest latency issue by having the guest authentication sent back to the publisher.
Seems to work as a temporary fix until we address the real issue behind the latency.
So much more to learn!
11-13-2015 07:19 AM
I was wondering if someone might be able to help with how the Endpoints db works when in a cluster.
If an enforcement policy is writing attributes into the Endpoints db for a particular endpoint, where is that actually happening? Is that happening in the subscriber or in the publisher? If the RADIUS request is being handled by a subscriber, does that mean the write is happening in the subscriber?
I am a little confused on that point.